search

cfrg / draft-irtf-cfrg-aegis-aead

Specification for the AEGIS family of authenticated encryption algorithms.
https://cfrg.github.io/draft-irtf-cfrg-aegis-aead/draft-irtf-cfrg-aegis-aead.html
Other
10 stars 2 forks source link

Mention that different variants produce different [ciphertexts and] tags #16

Closed jedisct1 closed 11 months ago

jedisct1 commented 11 months ago

It's not clear that the parallelism degree affects not only performance, but also the output.

We should mention somewhere that for a given (key,nonce,ad,msg), different parallelism degrees can produce different authentication tags.

If #14 is merged, we should extend that to the ciphertexts.

What would be the best place for that? In the security considerations?

samuel-lucas6 commented 11 months ago

Yes, that makes sense. I think it could go there. We haven't mentioned that different associated data affects the ciphertext for the standard variants either have we? Perhaps we could mention both in one paragraph.

jedisct1 commented 11 months ago

We haven't mentioned that different associated data affects the ciphertext for the standard variants either have we?

We haven't, but if we do, we should be cautious and set the preconditions for that to hold true. It can be a little bit complicated and confusing.

The AD and the message are absorbed the same way.

Which implies that Enc(ad=AA...ABB...B, msg=CC...CDD...D) produces the same ciphertext as Enc(ad=AA...A, msg=BB...BCC...CDD....D) for DD....D.